From patchwork Tue May 9 14:42:33 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98922
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Peter Hurley, Tilman Schmidt, Sasha Levin
Subject: [PATCH for-3.18 09/24] tty: Prevent ldisc drivers from re-using stale tty fields
Date: Tue, 9 May 2017 20:12:33 +0530
Message-Id: <1494340968-17152-10-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Peter Hurley

commit dd42bf1197144ede075a9d4793123f7689e164bc upstream.

Line discipline drivers may mistakenly misuse ldisc-related fields when initializing. For example, a failure to initialize tty->receive_room in the N_GIGASET_M101 line discipline was recently found and fixed [1]. Now, the N_X25 line discipline has been discovered accessing the previous line discipline's already-freed private data [2].

Harden the ldisc interface against misuse by initializing relevant tty fields before instancing the new line discipline.

[1] commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
    Author: Tilman Schmidt
    Date:   Tue Jul 14 00:37:13 2015 +0200

    isdn/gigaset: reset tty->receive_room when attaching ser_gigaset

[2] Report from Sasha Levin

[ 634.336761] ==================================================================
[ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
[ 634.339558] Read of size 4 by task syzkaller_execu/8981
[ 634.340359] =============================================================================
[ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
...
[ 634.405018] Call Trace:
[ 634.405277] dump_stack (lib/dump_stack.c:52)
[ 634.405775] print_trailer (mm/slub.c:655)
[ 634.406361] object_err (mm/slub.c:662)
[ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
[ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
[ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
[ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
[ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
[ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
[ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
[ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
[ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Cc: Tilman Schmidt
Cc: Sasha Levin
Signed-off-by: Peter Hurley
Signed-off-by: Greg Kroah-Hartman Signed-off-by: Amit Pundir --- drivers/tty/tty_ldisc.c | 7 +++++++ 1 file changed, 7 insertions(+) -- 2.7.4 diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c index 2d822aa259b2..2bf08366cd5b 100644 --- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c @@ -414,6 +414,10 @@ EXPORT_SYMBOL_GPL(tty_ldisc_flush); * they are not on hot paths so a little discipline won't do * any harm. * + * The line discipline-related tty_struct fields are reset to + * prevent the ldisc driver from re-using stale information for + * the new ldisc instance. + * * Locking: takes termios_rwsem */ @@ -422,6 +426,9 @@ static void tty_set_termios_ldisc(struct tty_struct *tty, int num) down_write(&tty->termios_rwsem); tty->termios.c_line = num; up_write(&tty->termios_rwsem); + + tty->disc_data = NULL; + tty->receive_room = 0; } /**
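Review bot: the comment added at @@ -414 ("The line discipline-related tty_struct fields are reset ...") states the guarantee without naming the fields, so an ldisc author reading the header cannot tell which fields are clean on open(). Since the hunk below resets exactly two of them, name them in the comment, e.g. "tty->disc_data is set to NULL and tty->receive_room to 0 before the new ldisc is opened", so it is also clear that any other field a previous ldisc touched is not covered.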
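Review bot: in the @@ -422 hunk the two new stores, "tty->disc_data = NULL;" and "tty->receive_room = 0;", are placed after up_write(&tty->termios_rwsem), so they are not covered by the only lock the function's "Locking: takes termios_rwsem" line documents; their safety depends on whatever serialization the callers of tty_set_termios_ldisc() hold around closing the old ldisc and opening the new one. Either move the two stores inside the down_write/up_write pair, or extend the Locking note to state the caller-held lock that makes an unlocked write to receive_room safe here, so that a future caller without that lock does not race the reset against the receive path.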
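The following is an added user-space model of the failure the commit message describes and of the fix; it is not code from the patch, the kernel, or any ldisc driver. It assumes a one-slot "slab" whose freed object keeps its contents (as a real slab does) plus a read counter standing in for KASAN, two invented line disciplines (N_OLD, which frees its private data on close without clearing tty->disc_data, and N_NEW, whose open() mirrors the "already attached?" magic check from the x25_asy_open_tty() frame in the report), and a tty_set_termios_ldisc() whose hardened flag toggles the two lines the patch adds. Only disc_data, receive_room, c_line and the function names mirror the kernel; everything else is an assumption made for the illustration.

```c
/*
 * Added example, not kernel code: why an ldisc's open() can read the previous
 * ldisc's freed private data, and how resetting the tty fields before open()
 * prevents it. The slab, the counter and both ldiscs are invented here.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define N_OLD 1
#define N_NEW 2
#define PRIV_MAGIC 0x58323535	/* stands in for a driver magic such as X25_ASY_MAGIC */

struct tty_struct {
	int c_line;			/* termios.c_line */
	void *disc_data;		/* ldisc private data */
	unsigned int receive_room;	/* how much input the ldisc will accept */
};

/* Private data as a driver would kmalloc() it */
struct ldisc_priv {
	int magic;
	char rx[64];
};

/*
 * One-slot "slab" (assumed): a freed object keeps its bytes, as on a real slab,
 * and every read of its magic while freed is counted, which is what KASAN
 * reported as a use-after-free.
 */
static struct ldisc_priv slab_slot;
static int slab_freed;
static int uaf_reads;

static struct ldisc_priv *slab_alloc(void)
{
	memset(&slab_slot, 0, sizeof(slab_slot));
	slab_freed = 0;
	return &slab_slot;
}

static void slab_free(struct ldisc_priv *p)
{
	if (p == &slab_slot)
		slab_freed = 1;		/* contents, including magic, stay behind */
}

static int priv_magic(const struct ldisc_priv *p)
{
	if (p == &slab_slot && slab_freed)
		uaf_reads++;		/* the read KASAN would flag */
	return p->magic;
}

struct tty_ldisc_ops {
	int (*open)(struct tty_struct *tty);
	void (*close)(struct tty_struct *tty);
};

/* Old ldisc: frees its data on close but never clears tty->disc_data */
static int old_open(struct tty_struct *tty)
{
	struct ldisc_priv *p = slab_alloc();

	p->magic = PRIV_MAGIC;
	tty->disc_data = p;
	tty->receive_room = 65536;
	return 0;
}

static void old_close(struct tty_struct *tty)
{
	slab_free(tty->disc_data);	/* dangling pointer left in tty->disc_data */
}

/* New ldisc: a non-NULL disc_data with a valid magic means "already attached" */
static int new_open(struct tty_struct *tty)
{
	struct ldisc_priv *sl = tty->disc_data;

	if (sl && priv_magic(sl) == PRIV_MAGIC)
		return -EEXIST;		/* stale data from the previous ldisc fools us */
	sl = slab_alloc();
	sl->magic = PRIV_MAGIC;
	tty->disc_data = sl;
	tty->receive_room = 4096;
	return 0;
}

static const struct tty_ldisc_ops ldiscs[] = {
	[N_OLD] = { old_open, old_close },
	[N_NEW] = { new_open, NULL },
};

/* Mirrors the patched function; 'hardened' toggles the two added stores */
static void tty_set_termios_ldisc(struct tty_struct *tty, int num, int hardened)
{
	tty->c_line = num;
	if (hardened) {
		tty->disc_data = NULL;
		tty->receive_room = 0;
	}
}

/* Close the old ldisc, switch c_line, open the new one (as tty_set_ldisc does) */
static int tty_set_ldisc(struct tty_struct *tty, int num, int hardened)
{
	const struct tty_ldisc_ops *old = &ldiscs[tty->c_line];

	if (old->close)
		old->close(tty);
	tty_set_termios_ldisc(tty, num, hardened);
	return ldiscs[num].open(tty);
}

/* Attach N_OLD, then switch to N_NEW; report open()'s result and freed-memory reads */
int run_switch(int hardened, int *freed_reads)
{
	struct tty_struct tty = { 0 };
	int ret;

	uaf_reads = 0;
	tty.c_line = N_OLD;
	ldiscs[N_OLD].open(&tty);
	ret = tty_set_ldisc(&tty, N_NEW, hardened);
	*freed_reads = uaf_reads;
	return ret;
}

int switch_ret(int hardened)
{
	int reads;

	return run_switch(hardened, &reads);
}

int switch_freed_reads(int hardened)
{
	int reads;

	run_switch(hardened, &reads);
	return reads;
}

int main(void)
{
	printf("unpatched: open() = %d, reads of freed memory = %d\n",
	       switch_ret(0), switch_freed_reads(0));
	printf("patched:   open() = %d, reads of freed memory = %d\n",
	       switch_ret(1), switch_freed_reads(1));
	return 0;
}
```

Without the two added stores the N_NEW open() dereferences the freed N_OLD object, sees the stale magic and wrongly fails with -EEXIST; with them, disc_data is NULL at open() time, no freed memory is read, and the new ldisc attaches normally. The same reset also stops a new ldisc that forgets to set receive_room from inheriting the previous ldisc's value.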